
CIS Controls Says Its Best Practices Could Prevent Equifax-style Breach


The Equifax breach and the others that have recently made headlines are relevant to all cybersecurity practices, especially in the IoT, where we have fallen short of the mark several times on the security front.

According to CIS, a non-profit entity that harnesses the power of the global IT community to safeguard private and public organizations against cyber threats, attacks such as WannaCry and Equifax could have been prevented with a diligent implementation of its CIS Control 4: “Continuous Vulnerability Assessment and Remediation.” CIS Control 4 calls for IT managers to assess enterprise vulnerabilities on a regular basis, typically using automated tools, and to fix most critical vulnerabilities. It may be that Equifax also failed to properly inventory all of its hardware and software (CIS Controls 1 and 2) and to monitor and analyze audit logs (CIS Control 6).

Equifax has acknowledged that its recent incident occurred due to the exploitation of a known vulnerability that had been identified in March 2017 in Apache's “Struts” software. The vulnerability had been rated critical, and Apache provided a remedy almost immediately. The May 2017 WannaCry cyber-attack was a similar story: the ransomware exploited another known vulnerability, this time in the Windows operating system. Most other high-profile breaches follow the same pattern: failure to implement basic cyber hygiene.

“Unfortunately, the Equifax breach is yet another example of what can happen if organizations are not vigilant about foundational cyber practices such as patching known vulnerabilities,” said Tony Sager, SVP and Chief Evangelist for the CIS Controls, CIS.

The CIS Controls were developed through a consensus process to prioritize essential technical actions all organizations should take to protect their systems and networks. They represent a foundational list of specific actions that can be used to implement the higher-level objectives in the NIST Cybersecurity Framework as well as cyber frameworks from the Payment Card Industry, International Organization for Standardization, and Institute of Electrical and Electronics Engineers. The State of California has already identified the CIS Controls as an expected practice for companies doing business within the state. The CIS Controls are available as a free download here.

“Organizations will continue to be at risk for cyber-attacks and breaches, but the solution is not rocket science; it's basic cyber hygiene like patching and scanning,” said Sager.

The CIS Controls and CIS Benchmarks are a global standard and stated best practices for securing IT systems and data against the most pervasive attacks. The proven guidelines are continuously refined and verified by a volunteer, global community of experienced IT professionals. CIS is home to the Multi-State Information Sharing & Analysis Center (MS-ISAC), the go-to resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities.


Ken Briodagh is a writer and editor with more than a decade of experience under his belt. He is in love with technology and if he had his druthers would beta test everything from shoe phones to flying cars.

Edited by Ken Briodagh